akkiliON

Facebook - Doubling up on Ads Code Bounties

Starting today and extending through the end of 2014, all Whitehat bugs in our ads code will receive double bounties. We recently completed a comprehensive security audit of this area ourselves. We found and fixed a number of security bugs but would like to encourage additional scrutiny from Whitehats to see what we might have missed. Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them. Below are some tips for successfully finding bugs in ads code.

Here is a sampling of past Whitehat bugs in ads that we've fixed:

  • Redeeming the same ads coupon multiple times without expiry.
  • Retrieving the name of an unpublished Page via the Ads Create Tool by guessing its Page ID.
  • Arbitrary local file read via a .zip symlink (more details in this post)
  • Injecting JavaScript into an ads report email and then leveraging a CSRF bug to make a victim send a malicious email to a target on your behalf.

Ads can be organized into a few sections:

UI - The UI is made up of our old and new Ads Manager tools (at /ads/manage/), as well as the JavaScript-based Power Editor tool that supports bulk ad edits and uploads. Most of the serious Whitehat bugs in this area have surfaced around permissions: viewing ads, or parts of an ad, that are not yours.

Ads API (https://developers.facebook.com/docs/ads-api) - The documentation for this frequently used API is a good introduction to the components that describe ads: a user ID, a campaign, an account, creative and so on. While not present in the ads API itself, the following writeup describes an excellent bug of the type that might be found in there: Hacking Facebook's Legacy API, Part 1: Making Calls on Behalf of Any User.

Analytics, also called insights - Analytics is what measures the performance of an ad: how well the ads are performing, and so on. As with the UI, the bugs we've seen in this area that had the largest impact have been missing or incorrect permissions checks. For example, we had an issue where someone could access insights for any application via a Graph API token with the read_insights permission.

Everything else - There is a lot of backend code to correctly target, deliver, bill and measure ads. This code isn't directly reachable via the website, but the small number of issues that have been found in these areas have been relatively high impact.

At this stage of our bug bounty program, it's uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs.

Ads-related code is the main part of Facebook that has and enforces roles, so it's also worthwhile to understand them: https://www.facebook.com/help/289207354498410. Among these roles, the permissions for reading or writing billing information are the most relevant.

The best way to report an issue is to use your Whitehat test account: https://www.facebook.com/whitehat/accounts/. Good luck, and keep the submissions coming!

Source: https://www.facebook.com/notes/protect-the-graph/doubling-up-on-ads-code-bounties/1519314984975314
